Future of Digital Security

Crypto and Web3: Anticipating Security and Regulatory Challenges

By Zoë Brammer on September 20, 2022

In the first of this two-post series I argued that Web3 relies on many of the same principles and technologies that underpin cryptocurrency. In this post, I will show how Web3 poses risks to reliable cryptocurrency exchange and how cryptocurrencies may introduce many of their destabilizing challenges into the Web3 environment.

Web3 can be understood as a new proposal for Internet structure, one that changes the way we perceive, process, and store content and data. Notionally, Web3 would evolve the Internet into a tokenized economy that allows users to read, write, and execute contracts without third-party intermediaries. Cryptocurrency and Web3 operate on many of the same concepts and technologies, including decentralization, peer-to-peer networking, and the blockchain. As a result, many of the issues identified with cryptocurrency are likely to introduce instability and new security concerns to the Web3 space.

As described below, these challenges are fourfold. First, concerns around the possible fallout from user-maintained spaces include the potential for increased cybersecurity risk and data breaches caused by lax adoption of security best practices by users. Second, the use of cryptocurrency as legal tender is likely to exacerbate existing regulatory and security challenges. Third, the influx of new information stored on the blockchain will make it even more difficult to identify transactions and other information on the blockchain. Finally, the lack of jurisdictional clarity in the Web3 space will lead to additional regulatory challenges. 

Web3 Challenges

User-Maintained Spaces

Platforms and apps built on Web3 will be operated by users in a decentralized fashion, with the ultimate aim to empower users with ownership over their data and its monetization. Web3 will allow individuals to decide how they want to collect and store their data—and if and when they want to sell it—and users will earn their ownership stake by helping to develop and maintain Web3 services. 

Web3 will thus be maintained by the users that help create it, and if these users are not implementing proper cyber hygiene and protecting their own data and privacy, there will likely be few other enforcement mechanisms in place. This represents an intrinsic risk to the security of Web3 infrastructure itself. When tech companies transfer the protection of a user’s data and privacy to the individual, new, potentially massive security and privacy vulnerabilities are likely to arise. This transition will also remove any hierarchical authority over users in the ecosystem, leaving the security of Web3 at risk without a clear system to fix it.

Cryptocurrency as Legal Tender

Given the virtual nature of Web3 and the overarching push toward decentralization, cryptocurrency in some form is likely to be considered legal tender in Web3, meaning that many transactions in this new space will occur using virtual currencies and will be maintained on the blockchain. The widespread use of, and looming dependence on, cryptocurrency, while appealing to some, will also increase the ease with which bad actors can skirt existing financial regulations in the Web3 space. One example of this activity already unfolding is sanctions evasion, an area where malign actors exploit the pseudonymity and lack of regulation of cryptocurrency.

During the March 2022 Russian invasion of Ukraine, for example, Moscow began to engage in sanctions evasion by moving from fiat to cryptocurrencies at a massive scale. In the weeks after the invasion began, the West imposed stringent sanctions on Russia, the ruble crashed, and the Russian cryptocurrency market ballooned. Russian entities prepared to blunt some of the worst effects of these sanctions by making cryptocurrency-based deals to support the invasion. 

Entities looking to skirt sanctions can use digital currencies to bypass the control points that governments rely on (mainly transfers of money by banks) to block monetary transactions to and from sanctioned entities. Many banks have to abide by “know your customer” (KYC) rules, which include verifying their clients’ identities, but KYC in the cryptocurrency space poses a more complicated compliance challenge. Exchanges and other platforms that facilitate the buying and selling of cryptocurrencies and digital assets are rarely as good at tracking their customers. Last year, 74% of ransomware proceeds went to Russian-linked hackers, and in October 2020, representatives of Russia’s central bank told a Moscow newspaper that the new digital ruble would make the country less dependent on the United States and better able to resist sanctions.

Companies dealing in cryptocurrency must work harder in order to validate the identities of the customers using their digital services and understand the details of transactions that they are facilitating to uphold legal restrictions and prevent engagement with sanctioned actors.

Losing the Signal in the Noise

The rise of Web3 is also likely to exacerbate existing problems in the cryptocurrency ecosystem by increasing the volume of information stored on the blockchain and making it exponentially more difficult to sift through the available data. Tracking ransomware payments and criminal activities on the blockchain takes a lot of time and energy already because of the pseudonymity of many cryptocurrencies and the ability to “chain hop” or move between different blockchains. Web3 is likely to spur the widespread adoption of numerous new avenues to move across the ecosystem, including non-fungible tokens (NFTs) and decentralized autonomous organizations (DAOs). 

There will also be an increase in blockchain uses like smart contracts and smart property, which will remove the existing intermediaries that regulate economic exchanges, like banks. Cryptocurrency supporters applaud the removal of these intermediaries where possible, but intermediaries provide both transparency and expertise and can provide and even require added security for these processes. 

Web3 Regulatory Jurisdiction

Compounding the aforementioned concerns about the security of Web3, it is becoming increasingly evident that Web3, like the current Internet, will fall outside of the exclusive jurisdiction of any regulatory body. The U.S. government has been slow to regulate tech companies, who are now designing the next iteration of the Internet, and cryptocurrency and blockchain technologies, which will form the backbone of this new structure. Since the goal of Web3 is to achieve decentralization—in large part to skirt government regulation and oversight—absent a significant policy shift, there will not be a monopoly on regulatory power in the development of the next iteration of the Internet.

While this may sound like an opportunity for a fairer system, tech companies stand to gain that power. They are buying into proposals for the next generation of the Internet at a massive scale, enabling them to buy majority control over Web3 if the government does not step in to regulate the underlying technology. 

Unfortunately, some regulatory efforts actually benefit big tech. The primary solution for the environmental strain posed by cryptocurrency technology would transfer even more power into the hands of tech companies. The first post of this series explored the proposal to transition from proof of work (PoW) to proof of stake (PoS). Although the environmental incentives for this shift are overwhelming, the movement from PoW to PoS would reward the largest investors in a given cryptocurrency. If this model is extended to Web3 platforms, it would likely result in tech companies holding the most authority over the literal history of the platform as it is written into the blockchain.

International institutions like the World Bank and the International Monetary Fund (IMF) may be able to play a role in mitigating this race to the top. Hints of an international institution approach emerged in June 2021, when the World Bank rejected El Salvador’s request to help implement Bitcoin as legal tender, citing concerns over transparency and the environmental impact of bitcoin mining. In a statement, they said that while “the government [of El Salvador] did approach us for assistance on Bitcoin, this is not something the World Bank can support given the environmental and transparency shortcomings.”

What to Expect

With the window of opportunity to preempt the extension of cryptocurrency regulatory gaps into the Web3 ecosystem closing, there are a number of avenues for regulators and other policy makers to pursue. One avenue is to turn to international institutions to set the norms in this space, but it is unlikely that these organizations will take a firm stance on the issue any time soon, so regulation will revert to the national level. Andreessen Horowitz (a16z) has advocated for a federal government-appointed “Web3 Czar” who would be tasked with all things Web3. This may be a good place to start, but it will not resolve all of the aforementioned regulatory gaps and security concerns likely to arise with the adoption of Web3.

Legislative approaches may offer the most sustainable solutions. But more recent legislation around cybersecurity, such as the Strengthening American Cybersecurity Act of 2022, contains almost no mention of cryptocurrency and only references it briefly in the context of ransomware payments. 

More stringent requirements around reporting and transparency are likely, however, and could follow in the footsteps of New York State’s BitLicense scheme, which requires individuals and companies that engage in virtual currency business activity to develop and implement compliance protocols and submit to affidavits, questionnaires, background investigations, and more. These types of compliance protocols would more closely align anti-money laundering efforts, including KYC, in the cryptocurrency space with those in the fiat currency space.

The March 2022 Executive Order, Ensuring Responsible Development of Digital Assets, is another good step toward developing policy for cryptocurrency technologies, but it stops short of addressing any of the major concerns laid out in this blog series. 

Regardless, there is very little direct regulation that targets cryptocurrency today. Most of the existing regulation aims to define virtual currency and place it in the existing financial ecosystem, but lawmakers have been slow to introduce legislation that targets underlying cryptocurrency technologies. Where existing regulations have been extended into the space, their purview will change in tandem with the way we define aspects of the landscape such as utility and property in Web3.

As a result, it is likely that we will enter Web3 in a similarly underregulated ecosystem, where users aiding in the development of Web3 may not be able to maintain the very platform they are building, where new security weaknesses are introduced, and where new challenges in the Web3 space may be especially difficult to solve.